2. The principles of GDPR (Article 5)
Personal data shall be processed in accordance with the following principles:
1) Lawfulness, fairness and transparency
2) Purpose limitation
3) Data minimization
4) Accuracy
5) Storage limitation
6) Integrity and confidentiality
Article 5(2) adds accountability: the controller is responsible for, and must be able to demonstrate, compliance with these principles.
3. Who does it apply to?
• Businesses and organisations that process the personal data of individuals, who are known as data subjects.
• GDPR compliance applies to both Data Controllers and Data Processors.
4. What is data processing?
Processing of personal data includes the following:
• collecting, recording, storing, adapting, using, disclosing and deleting data
• If you process the personal data of employees or customers, GDPR applies
GDPR is technology neutral. This means it protects
the personal data of data subjects regardless of the
technology used or how the personal data is stored.
• It applies to electronic and paper-based files
5. What is personal data?
Any information relating to an identified or identifiable individual (the data subject), for example:
• Name
• Address
• Telephone number
• Email address
• Date of birth
• Online identifiers such as an IP address, and location data
6. What is sensitive personal data?
Sensitive data (the "special categories" of personal data) is personal data that reveals or relates to a person's:
• Race or ethnicity
• Political, religious or philosophical beliefs
• Sexual life or sexual orientation
• Health (physical and mental)
• Genetic or biometric data
• Criminal record (criminal convictions and offences data, which has its own safeguards under Article 10)
• Trade union membership
There are additional requirements for processing sensitive data
7. Legal Bases for processing personal data
• Consent
• Legal obligation
• Performance of a contract
• Vital interests
• Public task (public interest or official authority)
• Legitimate interests
8. The legal bases for processing sensitive data
Legal bases for processing sensitive data include:
• Explicit consent
• Comply with EU, national law or collective agreements in relation to
employment, social security and social protection law
• The vital interests of a person
• A foundation, association or other not-for-profit body with a political,
philosophical, religious or trade union aim that processes data for its
members or people who regularly contact the organisation
• If the personal data was manifestly made public by the individual
• If the data is required for the establishment, exercise or defence of legal
claims
9. The legal bases for processing sensitive data – cont.
• For reasons of substantial public interest
• For the purposes of preventive or occupational medicine, assessing the working capacity of an employee, medical diagnosis, the provision of health or social care/treatment, the management of health or social care systems and services, or on the basis of a contract with a health professional
• For reasons of public interest in the field of public health
• For archiving purposes in the public interest, scientific or historical research purposes or statistical purposes
10. What data do you process?
Do you process personal or
sensitive data on behalf of:
• Employees?
• Customers?
• Suppliers?
• Stakeholders?
If the answer is yes to any of the above, then GDPR applies.
11. Assess your risk level
Under GDPR, businesses that
process personal data should
account for “the nature, scope,
context and purposes of the
processing.”
You need to assess what is the risk
level of your data processing
activities and what harm could be
caused to individuals if the data
12. Assess your Processing Activities
GDPR is particularly concerned with
processing activities that could pose the
following risks to data subjects:
• Discrimination
• Identity theft or fraud
• Financial loss
• Damage to reputation
• Loss of confidentiality
• Unauthorized reversal of
pseudonymisation
13. Assign your legal basis
Businesses must assign a legal basis to each personal data processing activity. Consider:
• Is this the most appropriate legal basis for this data processing activity?
• If I choose legitimate interests as a legal basis, can I demonstrate that it is a legitimate business interest? Can I show that the processing is necessary? Can it be balanced against the individual's interests, rights and freedoms?
• Take time to consider which legal basis is best suited to a particular processing activity, as you cannot change it halfway through.
14. Data Inventory
Make an inventory of all the
personal data that you process.
• Types of data?
• How did you obtain it?
• Why was it originally gathered?
• How long will you retain it?
• How secure is it, both in terms
of encryption and accessibility?
• Do you ever share it with third
parties and on what basis might
you do so?
15. Manage consent
Consent can be an effective legal basis for direct marketing activities, in particular for electronic communications. However, there are stricter requirements when relying on consent.
Under GDPR consent must be:
• Freely given
• Specific
• Informed
• Unambiguous - the data subject has indicated consent
by a clear affirmative action such as an opt in.
Revisit old consent and ensure it meets GDPR standards
16. Manage consent cont.
In addition, consent is subject to four conditions:
• Businesses must be able to demonstrate that the data subject has given their consent
• Written requests for consent must be clearly distinguishable from other matters and presented in an easily accessible form, using clear and plain language
• The data subject has the right to withdraw consent at any time. It
must be as easy to withdraw consent as it was to grant it and they
must be informed of this before their data is processed
• Care is needed to ensure that any consent freely given is not
conditional or tied to the performance of a contract or the
provision of a service
17. Communicate Privacy Information
Update privacy notices by 25 May 2018 to include:
• Name and contact details of the business
• The purpose for using the data
• The use(s) that the data will be put to
• The legal basis for processing data
• Retention periods or criteria for holding data
• Processing for legal or statutory requirements
18. Communicate Privacy Information cont...
• The rights of the individual
• Who the data will be disclosed to
• Any legitimate interests of the business or its third parties
• Any automated decision making processes (if applicable)
• Details of data that is transferred outside of the EU and how
it is safeguarded (if applicable)
• The right to complain to the Data Protection Commission
19. Review contracts with 3rd party suppliers
If you outsource the processing of personal data to a data processor, such as a cloud services company, credit card supplier or other service provider, you must ensure the following:
• That they comply with GDPR
• They do not engage another data processor without your knowledge and authorisation
• They only process the personal data, and for the purposes, set out in the written agreement
• You have sought and been given assurances regarding their appropriate technical and organisational security measures
20. Manage data access requests
Access requests by data subjects must be answered within one month and are free of charge. The period can be extended by a further two months where requests are complex or numerous, provided the data subject is told within the first month and given the reasons for the delay. A reasonable administrative fee can be charged, or the request refused, only where it is manifestly unfounded or excessive, for example repeated requests for the same data.
Businesses should put in place a process for managing data access requests:
• Staff recognise data access requests and pass them to the appropriate person
• Ensure that each data access request is processed within one month
• Manage excessive or multiple data access requests
• Document the reasons for refusing data access requests that are manifestly unfounded or excessive
21. Information to provide to Data Subjects
• The reason/s for processing their data
• The categories of personal data that relate to them
• If any 3rd parties, including recipients in third countries, have access to their data and how it is protected and safeguarded
• The length of time that the personal data will be held for
• The right to have personal data rectified, erased or restricted
• How to lodge a complaint with the Data Protection Commission
• How you obtained their personal data
• Any automatic profiling and the significance of it on their personal
22. Data Security
Businesses need to ensure that both their organizational and technical measures safeguard and protect personal data. This applies to:
• IT security
• Physical security
• Organizational security
23. Train your staff
All staff should be trained on:
• What is GDPR
• Policies and procedures for
GDPR
• Dealing with data access
requests
• Keeping personal data secure
• Following organizational
procedures and guidelines
• Following the correct procedure
in relation to a data breach
24. Data Breaches
GDPR requires that businesses must notify the Data Protection Commission within 72 hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects.
Data breaches that are likely to result in a high risk to individuals, such as identity theft or a breach of confidentiality, must also be communicated to the individuals concerned without undue delay.
25. Respond to Data Breach
A response plan should include the following:
• The key individuals that will form an incident response team
• Contact details of key experts, including a forensic IT expert and legal counsel with data protection expertise
• How to communicate with the DPC within the 72 hour time-frame
• A contingency plan for a dedicated customer service line in the case of significant breaches
• How to respond to material and non-material claims if they arise
• Logging of all personal data breaches, including those that do not have to be notified to the DPC
26. Review Regularly and update
GDPR does not stop once 25 May arrives. Businesses will need to review and refresh their arrangements as the business changes or grows, and should factor in the following on a regular basis:
• Check and refresh consent where necessary
• Review personal data on an annual basis and remove outdated or unnecessary data
• Train staff annually
• Review your internal policies and procedures in relation to data processing
• Review the security and organizational measures of your data processors
• For new data processing projects that could pose a high risk to the privacy rights of individuals, consider whether a Data Protection Impact Assessment (DPIA) is needed
27. Use the SHH app @shhsystems.com to start
your GDPR journey today!